Passive reconnaissance involves collecting information without direct interaction with the target's systems, which mitigates the risk of detection. DNS lookups fit this description, as they can be done using external tools and do not require any interaction with the target's network, allowing a penetration tester to map out the structure of the domain discreetly.